While federal agencies are under increasing pressure to meet security best practices, such as National Institute of Standards and Technology (NIST) security guidance and standards, supply chain organizations further down the pipeline may escape direct observation, making it easy for them to avoid costly IT changes. A recent BitSight survey compared the security performance of 120 agencies to 1,200 contractors. It found a performance gap of at least 15 points on a cybersecurity risk assessment scale of 250–900, with higher scores equating to a stronger security posture.